make caas persist secrets idempotent

bertiethorpe · bertiethorpe · commit 109f58497141 · 2025-09-08T13:47:48.000Z
diff --git a/ansible/roles/persist_openhpc_secrets/tasks/main.yml b/ansible/roles/persist_openhpc_secrets/tasks/main.yml
@@ -14,14 +14,18 @@
   loop:
     - "{{ appliances_state_dir }}/ansible.facts.d"
     - "/etc/ansible/facts.d"
-    
+
+- name: Load existing OpenHPC secrets if present
+  ansible.builtin.setup:
+    filter: ansible_local
+  when: openhpc_secrets_stat.stat.exists
+
 - name: Write OpenHPC secrets
   template:
     src: openhpc_secrets.fact
     dest: "{{ appliances_state_dir }}/ansible.facts.d/openhpc_secrets.fact"
     owner: root
     mode: 0600
-  when: "not openhpc_secrets_stat.stat.exists"
 
 - name: Symlink persistent facts to facts_path
   file:
@@ -30,6 +34,6 @@
     dest: /etc/ansible/facts.d/openhpc_secrets.fact
     owner: root
     
-- name: Read facts
+- name: Refresh facts to pick up any new secrets
   ansible.builtin.setup:
     filter: ansible_local
diff --git a/ansible/roles/persist_openhpc_secrets/templates/openhpc_secrets.fact b/ansible/roles/persist_openhpc_secrets/templates/openhpc_secrets.fact
@@ -1,10 +1,10 @@
 {
-  "vault_azimuth_user_password": "{{ lookup('password', '/dev/null') }}",
-  "vault_grafana_admin_password": "{{ lookup('password', '/dev/null') }}",
-  "vault_elasticsearch_admin_password": "{{ lookup('password', '/dev/null') }}",
-  "vault_elasticsearch_kibana_password": "{{ lookup('password', '/dev/null') }}",
-  "vault_mysql_root_password": "{{ lookup('password', '/dev/null') }}",
-  "vault_mysql_slurm_password": "{{ lookup('password', '/dev/null') }}",
-  "vault_openhpc_mungekey": "{{ lookup('pipe', 'dd if=/dev/urandom bs=1 count=1024 2>/dev/null | base64') | regex_replace('\s+', '') }}",
-  "vault_alertmanager_admin_password": "{{ lookup('password', '/dev/null') }}"
+  "vault_azimuth_user_password": "{{ ansible_local.openhpc_secrets.vault_azimuth_user_password | default(lookup('password', '/dev/null')) }}",
+  "vault_grafana_admin_password": "{{ ansible_local.openhpc_secrets.vault_grafana_admin_password | default(lookup('password', '/dev/null')) }}",
+  "vault_elasticsearch_admin_password": "{{ ansible_local.openhpc_secrets.vault_elasticsearch_admin_password | default(lookup('password', '/dev/null')) }}",
+  "vault_elasticsearch_kibana_password": "{{ ansible_local.openhpc_secrets.vault_elasticsearch_kibana_password | default(lookup('password', '/dev/null')) }}",
+  "vault_mysql_root_password": "{{ ansible_local.openhpc_secrets.vault_mysql_root_password | default(lookup('password', '/dev/null')) }}",
+  "vault_mysql_slurm_password": "{{ ansible_local.openhpc_secrets.vault_mysql_slurm_password | default(lookup('password', '/dev/null')) }}",
+  "vault_openhpc_mungekey": "{{ ansible_local.openhpc_secrets.vault_openhpc_mungekey | default(lookup('pipe', 'dd if=/dev/urandom bs=1 count=1024 2>/dev/null | base64') | regex_replace('\\s+', '')) }}",
+  "vault_alertmanager_admin_password": "{{ ansible_local.openhpc_secrets.vault_alertmanager_admin_password | default(lookup('password', '/dev/null')) }}"
 }
